Shamoon, a two-stage targeted attack

by on | Leave a comment
Filed under Industry News, Research Lab and tagged , , , , , , , , .

Whenever there is a new report about a targeted attack, the first thing you might ask yourself is: “What is the intention?”

Why would someone invest time to prepare a campaign, send a spear-phishing email with a malicious document attached and waste a zero-day vulnerability in order to silently install a sophisticated malware?

Today, Seculert received information about a new attack targeting several specific companies in a few industries. The attack is called “Shamoon,” due to a string of a folder name within the malware executable (“C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb”).

The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the Master Boot Record (MBR) of the computer. Why would someone wipe files in a targeted attack and make the machine unusable?

While it’s rare to find this type of malware in targeted attacks, our friends at Kaspersky Lab suggest that this is the same behavior of the wipe malware found attacking machines in Iran, that were infected with another unknown malware. This then lead Kaspersky to the discovery of Flame.

Furthermore, Shamoon is collecting the names of the files it has overwritten and sending this information to another internal machine within the compromised company’s network. The samples we analyzed communicated with a local IP address 10.1.252.19 (see Figure 1).


Figure 1: Shamoon malware trying to communicate with IP address 10.1.252.19

The evidence above suggests that this is a two-stage attack:

  • The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command and Control (C&C) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.
  • Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C&C through the proxy.

It is still unclear who is behind this attack. We will update this blog with more information when it becomes available.

UPDATE [17-Aug-2012]: Updated the section about Flame, to clarify that it was not used in the same attack as Flame, but rather a different targeted-attack that led to the discovery of Flame.


Is your network compromised? Sign-up to discover threats your other security solutions have missed.



[slideshare id=25564230&doc=howseculertdiscoveredshamoon-130825041410-phpapp01]

14 thoughts on “Shamoon, a two-stage targeted attack

  1. Anonymous

    Follow @cyberstrikenews in twitter to read more detail about the attack, as the hackers publish them through some irc channels we found to be talking about this.

    Reply
  2. Anonymous

    The reason for wiping the harddrive is that the developers of this virus were idiot amateurs. Standard procedure when you figure out a machine is compromised with a virus is to wipe the hard drive. Usually, most of the work is in finding out that the machine has a virus – getting rid of it is *always* easy if you have the knowhow to rebuild from scratch

    Reply
  3. Anonymous

    So when does one know if the virus wipped ARAMCO’s CENTUM CS DCS from yokogawa? This would be great information!!!!

    Reply
  4. Anonymous

    Seems to me that the reason for the destroying of the computer is simple. The computer is the link in the chain and breaking this link you then make it hard to figure where the next link is. In other words its a way to cover your tracks.

    Reply
    1. Alice-Sofia

      It could be the training stage for cyber destroyer. If completed, such malware could destroy specific networks, e.g. defense systems, infrastructure. Potential results: non–controllable and non–manageable weapons, defense systems (for instance, missile shield), energy production–transportation.

      Reply
  5. Anonymous

    Anyone know of any companies in the Middle East that may have been targeted? Or that are a victim of the attack itself?

    Reply
  6. Jules Bartow

    Imagine if a zero-day Shamoon got into NSA, NGA, NRO, DIA, CIA, NMEC, NGIC, DCGS networks at 1:00 am where “Security is Everyone’s Job”, but those with polygraphs complacently fail at defense in depth, trusting the green door to keep evil out while they sleep. What is the difference between ignorance and apathy? They don’t know and they don’t care. When all COMMS, SIGINT, IMINT, HUMINT, and MASINT goes down with backups containing yet another series of trojans that destroy continuity of operations who are they going to call?

    Ask the DCI CIO what the Cyber Emergency 911 is at any of the 3-letter organizations for all the TS/SCI networks connecting the military-intelligence-industrial complex.

    Ask how the 432nd Wing UAV controller network at Creech AFB was infected. Ask how the RQ-170 controlled in Nevada ended up landing in Iran.

    Ask how StratFor and HBGary were taken down.

    Ask how an 82-year old nun gets into the Y-12 weapons grade uranium plant in Oak Ridge Tennessee or an Army Private is credited with starting the Arab Spring using WikiLeaks.

    Where are the people that took oaths to defend their country? Slimy bastards sucking at the teat of big brother slinking away proclaiming, “Not my job.” The Chinese, Russians, and Iranians are probably quietly gobbling up everything the IC is monitoring because government personnel leaving everything to contractors who’s only goal is to grow their contract so they can pay their mortgage, send their kids to college, and plan their next vacation. Few care enough about national security with the discipline to be continuously vigilant.

    Reply
  7. Pingback: Preventing Today’s Advanced Threats is Unrealistic | Seculert Blog on Advanced Persistent Threats and Malware

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>